feat: restrict access to categories

2025-12-22 09:37:54 +00:00 · 2024-05-21 21:39:17 +02:00
parent 3f288b2d43
commit 51cb73f3d8
2 changed files with 31 additions and 7 deletions
--- a/firestore.rules
+++ b/firestore.rules
@@ -19,6 +19,10 @@ service cloud.firestore {
      return true;
    }

+    function noWriteAccess() {
+      return false;
+    }
+
    match /aggregations_rev20220126/{document=**} {
      allow read: if isPublicReadable();
      allow write: if isPublicWritable();
@@ -36,7 +40,7 @@ service cloud.firestore {

    match /question_categories_rev20231130/{document=**} {
      allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
    }

    match /questions_rev20230926/{document=**} {
@@ -46,7 +50,7 @@ service cloud.firestore {

    match /research_categories_rev20221224/{document=**} {
      allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
    }

    match /research_rev20201020/{document=**} {
@@ -84,12 +88,12 @@ service cloud.firestore {

    match /v3_categories/{document=**} {
      allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
    }

    match /v3_tags/{document=**} {
      allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
    }

    match /v3_users/{userId} {
--- a/packages/security-rules/tests/general.spec.ts
+++ b/packages/security-rules/tests/general.spec.ts
@@ -105,14 +105,11 @@ describe('community platform', () => {
  const publicCollections = [
    'aggregations_rev20220126',
    'discussions_rev20231022',
-    'question_categories_rev20231130',
    'questions_rev20230926',
-    'research_categories_rev20221224',
    'research_rev20201020',
    'user_notifications_rev20221209',
    'v3_howtos',
    'v3_mappins',
-    'v3_tags',
    'v3_users',
  ]

@@ -131,4 +128,27 @@ describe('community platform', () => {
      })
    })
  })
+
+  const readableCollections = [
+    'v3_categories',
+    'v3_tags',
+    'research_categories_rev20221224',
+    'question_categories_rev20231130',
+  ]
+
+  readableCollections.forEach((collection) => {
+    describe(`${collection}`, () => {
+      it(`${collection} allows READ`, async () => {
+        await assertSucceeds(getDoc(doc(unauthedDb, collection, 'bar')))
+      })
+
+      it(`${collection} does not allow WRITE`, async () => {
+        await assertFails(
+          setDoc(doc(unauthedDb, collection, 'bar'), {
+            email: '',
+          }),
+        )
+      })
+    })
+  })
 })